unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
* bug#47319: python-lxml is vulnerable to CVE-2021-28957
@ 2021-03-22 14:09 Léo Le Bouter via Bug reports for GNU Guix
  2021-03-23 15:29 ` Léo Le Bouter via Bug reports for GNU Guix
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-22 14:09 UTC (permalink / raw)
  To: 47319

[-- Attachment #1: Type: text/plain, Size: 488 bytes --]

CVE-2021-28957	21.03.21 06:15
lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
html/defs.py) for later use in input sanitization, but does not do the
same for the HTML5 formaction attribute.

Upstream fixed it in 4.6.3 (
https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
), so we should probably upgrade to that.

Has lots of dependents so I suppose it needs grafting? Is that useful
and does it work for Python packages?

Léo

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* bug#47319: python-lxml is vulnerable to CVE-2021-28957
  2021-03-22 14:09 bug#47319: python-lxml is vulnerable to CVE-2021-28957 Léo Le Bouter via Bug reports for GNU Guix
@ 2021-03-23 15:29 ` Léo Le Bouter via Bug reports for GNU Guix
  2021-03-23 17:55 ` Leo Famulari
  2022-03-23  2:32 ` Maxim Cournoyer
  2 siblings, 0 replies; 5+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-03-23 15:29 UTC (permalink / raw)
  To: 47319

[-- Attachment #1: Type: text/plain, Size: 156 bytes --]

I pushed a9d540cfa87ef3a5de3296188f650fb0d037efbd on core-updates, how
to fix it on master considering the amount of dependents remains to be
agreed on.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* bug#47319: python-lxml is vulnerable to CVE-2021-28957
  2021-03-22 14:09 bug#47319: python-lxml is vulnerable to CVE-2021-28957 Léo Le Bouter via Bug reports for GNU Guix
  2021-03-23 15:29 ` Léo Le Bouter via Bug reports for GNU Guix
@ 2021-03-23 17:55 ` Leo Famulari
  2021-04-05 23:54   ` Mark H Weaver
  2022-03-23  2:32 ` Maxim Cournoyer
  2 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2021-03-23 17:55 UTC (permalink / raw)
  To: 47319

[-- Attachment #1: Type: text/plain, Size: 1222 bytes --]

On Mon, Mar 22, 2021 at 03:09:24PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-28957	21.03.21 06:15
> lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
> html/defs.py) for later use in input sanitization, but does not do the
> same for the HTML5 formaction attribute.

Thanks for the notification.

I checked on some other distros that, like us, try to avoid major
updates of packages with a lot of dependents:

https://security-tracker.debian.org/tracker/CVE-2021-28957
https://access.redhat.com/security/cve/cve-2021-28957

So, both Debian and Red Hat are still shipping the vulnerable packages.
At least, we are in good company. We would monitor the Debian page and
copy their patch, if they decide to fix the bug.

> Upstream fixed it in 4.6.3 (
> https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
> ), so we should probably upgrade to that.
> 
> Has lots of dependents so I suppose it needs grafting? Is that useful
> and does it work for Python packages?

Grafting Python packages is not something we've done in the past, as far
as I can tell from reading the Git log, although I don't recall know if
it works or not.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* bug#47319: python-lxml is vulnerable to CVE-2021-28957
  2021-03-23 17:55 ` Leo Famulari
@ 2021-04-05 23:54   ` Mark H Weaver
  0 siblings, 0 replies; 5+ messages in thread
From: Mark H Weaver @ 2021-04-05 23:54 UTC (permalink / raw)
  To: Leo Famulari, 47319

Leo Famulari <leo@famulari.name> writes:

> On Mon, Mar 22, 2021 at 03:09:24PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
>> Has lots of dependents so I suppose it needs grafting? Is that useful
>> and does it work for Python packages?
>
> Grafting Python packages is not something we've done in the past, as far
> as I can tell from reading the Git log, although I don't recall know if
> it works or not.

I see no reason why grafting a python package wouldn't work, although
admittedly my knowledge of Python is weak.

      Mark




^ permalink raw reply	[flat|nested] 5+ messages in thread

* bug#47319: python-lxml is vulnerable to CVE-2021-28957
  2021-03-22 14:09 bug#47319: python-lxml is vulnerable to CVE-2021-28957 Léo Le Bouter via Bug reports for GNU Guix
  2021-03-23 15:29 ` Léo Le Bouter via Bug reports for GNU Guix
  2021-03-23 17:55 ` Leo Famulari
@ 2022-03-23  2:32 ` Maxim Cournoyer
  2 siblings, 0 replies; 5+ messages in thread
From: Maxim Cournoyer @ 2022-03-23  2:32 UTC (permalink / raw)
  To: Léo Le Bouter; +Cc: 47319-done

Hi,

Léo Le Bouter <lle-bout@zaclys.net> writes:

> CVE-2021-28957	21.03.21 06:15
> lxml 4.6.2 places the HTML action attribute into defs.link_attrs (in
> html/defs.py) for later use in input sanitization, but does not do the
> same for the HTML5 formaction attribute.
>
> Upstream fixed it in 4.6.3 (
> https://github.com/lxml/lxml/commit/2d01a1ba8984e0483ce6619b972832377f208a0d
> ), so we should probably upgrade to that.

This is the current version in Guix.

Closing; thanks!

Maxim




^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2022-03-23  2:34 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-22 14:09 bug#47319: python-lxml is vulnerable to CVE-2021-28957 Léo Le Bouter via Bug reports for GNU Guix
2021-03-23 15:29 ` Léo Le Bouter via Bug reports for GNU Guix
2021-03-23 17:55 ` Leo Famulari
2021-04-05 23:54   ` Mark H Weaver
2022-03-23  2:32 ` Maxim Cournoyer

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).